Brute-force attacks are a common way to compromise password-protected accounts. For example, a program may automatically try a list of thousands of different passwords from a dictionary file until some password is correct and access to the account is granted. For this reason, users are typically advised to choose passwords that are not easily guessed, that are of a certain length, and that include both upper and lower case letters, numbers, and special characters. Also, rate-limiting (e.g., five login attempts per minute) or account lockout policies (e.g., disabling access after five incorrect login attempts) may be used to combat brute-force attacks.